GNU bug report logs - #55001
[PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
Reported by: Zhu Zihao <all_but_last <at> 163.com>
Date: Mon, 18 Apr 2022 13:44:01 UTC
Severity: normal
Tags: patch
Done: Mathieu Othacehe <othacehe <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Mon, 18 Apr 2022 13:44:01 GMT)
Acknowledgement sent to Zhu Zihao <all_but_last <at> 163.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 18 Apr 2022 13:44:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[0001-gnu-git-Update-to-2.35.2-fixes-CVE-2022-24765.patch (text/x-patch, inline)]
From c1ced93b4acc56f9a33d10ebed8b1cefc7dc1b9d Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last <at> 163.com>
Date: Mon, 18 Apr 2022 21:40:19 +0800
Subject: [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
* gnu/packages/version-control.scm (git): Update to 2.35.2.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index d77c2e51f6..9902483d76 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -221,14 +221,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.35.1")
+ (version "2.35.2")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "100h37cpw49pmlpf6lcpm1xi578gllf6y9in60h5mxj3cj754s6p"))))
+ "1wq0wrdg81b324y17fr4jaw5zk2i4fah0f99rhndpsywlm7hqgf7"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
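Review bot: the new `sha256` value on the `+` line under `(base32` is the only integrity check on the tarball that `url-fetch` pulls from `mirror://kernel.org/software/scm/git/git-` plus `version`, and nothing in the commit message says how it was obtained. Before applying, a second person should fetch the 2.35.2 tarball independently, check it against upstream's signature, and confirm that `guix hash` on the file prints the same base32 string.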
@@ -248,7 +248,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "00rqdj2bc3i7pfc16pciiz50ww41jkqg18iy5hi5jnf0y98sgqz4"))))
+ "1s3fbnl2slwd3b5j2281z8jwypsqydd1n7yg90v7vb369njvmsd0"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook-xsl" ,docbook-xsl)
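Review bot: the second `base32` change sits in an origin whose URI is also built from `version ".tar.xz"`, but the hunk context does not show which tarball it names, and the changelog line `(git): Update to 2.35.2.` does not mention it. Name that origin in the commit log and verify its hash the same way as the main source, so a reviewer can tell that both hashes belong to the same release.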
--
2.35.1
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Mon, 18 Apr 2022 14:25:02 GMT)
Message #8 received at 55001 <at> debbugs.gnu.org (full text, mbox):
Update to 2.35.3 instead.
[0001-gnu-git-Update-to-2.35.3-fixes-CVE-2022-24765.patch (text/x-patch, inline)]
From ecae314a30e43a4d706b68dc3345a2b32303e8fe Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last <at> 163.com>
Date: Mon, 18 Apr 2022 21:40:19 +0800
Subject: [PATCH] gnu: git: Update to 2.35.3 [fixes CVE-2022-24765].
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
* gnu/packages/version-control.scm (git): Update to 2.35.3.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index d77c2e51f6..1fbfe0b9bd 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -221,14 +221,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.35.1")
+ (version "2.35.3")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "100h37cpw49pmlpf6lcpm1xi578gllf6y9in60h5mxj3cj754s6p"))))
+ "18hgw3g4vc78nk6lic2sbw0h22bwbh6a0qnb63zrzvgjkd7xps8m"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
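Review bot: the `+ (version "2.35.3")` line skips 2.35.2, which the previous revision of this patch named as the release fixing CVE-2022-24765, yet the subject keeps the same `[fixes CVE-2022-24765]` tag with no explanation. State in the commit message why 2.35.3 is the target, so someone auditing the history can tell which upstream release carried the fix and which one is a follow-up.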
@@ -248,7 +248,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "00rqdj2bc3i7pfc16pciiz50ww41jkqg18iy5hi5jnf0y98sgqz4"))))
+ "0973y7g356fjyrqxgvac04g3qhf6fbs3lzpizl1skkri0zh7x357"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook-xsl" ,docbook-xsl)
--
2.35.1
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Mon, 18 Apr 2022 15:55:02 GMT)
Message #11 received at 55001 <at> debbugs.gnu.org (full text, mbox):
Hi Zihao,
Is this not a Windows-only vulnerability and bugfix release (also
CVE-2022-24767)?
Greg
On Mon, Apr 18, 2022 at 9:44 AM Zhu Zihao <all_but_last <at> 163.com> wrote:
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
>
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Mon, 18 Apr 2022 16:05:01 GMT)
Message #14 received at 55001 <at> debbugs.gnu.org (full text, mbox):
Greg Hogan <code <at> greghogan.com> writes:
> Hi Zihao,
>
> Is this not a Windows-only vulnerability and bugfix release (also CVE-2022-24767)?
>
> Greg
>
> On Mon, Apr 18, 2022 at 9:44 AM Zhu Zihao <all_but_last <at> 163.com> wrote:
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
Hi.
https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765
This article says "likely due to only affect Microsoft Windows". I
haven't tested this CVE on *nix systems.
If it doesn't affect Guix systems, should I remove "[fixes
CVE-2022-24765]" in the git commit message or leave it there?
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Mon, 18 Apr 2022 17:34:01 GMT)
Message #17 received at 55001 <at> debbugs.gnu.org (full text, mbox):
And now git 2.36 has been released.
On Mon, Apr 18, 2022 at 10:25 AM Zhu Zihao <all_but_last <at> 163.com> wrote:
>
> Update to 2.35.3 instead.
>
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
>
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Mon, 18 Apr 2022 18:04:01 GMT)
Message #20 received at 55001 <at> debbugs.gnu.org (full text, mbox):
Zhu Zihao wrote on Tue 19-04-2022 at 00:02 [+0800]:
>
> Hi.
>
> https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765
>
> This article says "likely due to only affect Microsoft Windows". I
> haven't tested this CVE on *nix systems.
>
> If it doesn't affect Guix systems, should I remove "[fixes
> CVE-2022-24765]" in the git commit message or leave it there?
According to <https://lwn.net/Articles/891112/#Comments> and its
comments, it affects ‘multi-user (*) Linux (**) systems’ as well, if
someone has their git repo inside /tmp. (Does anyone actually do
that?)
(*) I would think this includes otherwise single-user systems with a
compromised daemon as well?
(**) Presumably also GNU/Hurd and the BSDs.
Greetings,
Maxime.
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Tue, 19 Apr 2022 09:22:02 GMT)
Message #23 received at 55001 <at> debbugs.gnu.org (full text, mbox):
Greg Hogan <code <at> greghogan.com> writes:
> And now git 2.36 has been released.
A new patch that updates to 2.36 is uploaded. Thanks for your mention :)
[0001-gnu-git-Update-to-2.36.0-fixes-CVE-2022-24765.patch (text/x-patch, inline)]
From bad9eea70d56ec9ace36f7f62c5ea7c8f3e399a3 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last <at> 163.com>
Date: Mon, 18 Apr 2022 21:40:19 +0800
Subject: [PATCH] gnu: git: Update to 2.36.0 [fixes CVE-2022-24765].
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
* gnu/packages/version-control.scm (git): Update to 2.36.0.
---
gnu/packages/version-control.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index d77c2e51f6..ff9c6f7c14 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -221,14 +221,14 @@ (define git-cross-configure-flags
(define-public git
(package
(name "git")
- (version "2.35.1")
+ (version "2.36.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
- "100h37cpw49pmlpf6lcpm1xi578gllf6y9in60h5mxj3cj754s6p"))))
+ "1ly13j37h1y8bgcj3h0cl43vcpwk9j4gsasssk8gar44cp0vypmg"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
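Review bot: going from `- (version "2.35.1")` to `+ (version "2.36.0")` moves to a new release series rather than a point release, so the `[fixes CVE-2022-24765]` tag in the subject describes only part of what changes. Because every package that depends on `git` is rebuilt against it, build the dependents listed by `guix refresh -l git` before pushing and report the result in the thread.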
@@ -248,7 +248,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
- "00rqdj2bc3i7pfc16pciiz50ww41jkqg18iy5hi5jnf0y98sgqz4"))))
+ "0p6vc6nyaibx2lxirjj2nm5spk5q6svz8l3w0pqnaa3i7l7c6qy0"))))
;; For subtree documentation.
("asciidoc" ,asciidoc)
("docbook-xsl" ,docbook-xsl)
--
2.35.1
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Tue, 19 Apr 2022 14:09:01 GMT)
Message #26 received at 55001 <at> debbugs.gnu.org (full text, mbox):
This update built successfully for me, and also all dependent packages with
'git' in the name:
./pre-inst-env guix refresh -l git | cut -d: -f2- | tr ' ' '\n' | grep git |
xargs ./pre-inst-env guix build
On Tue, Apr 19, 2022 at 5:21 AM Zhu Zihao <all_but_last <at> 163.com> wrote:
>
> Greg Hogan <code <at> greghogan.com> writes:
>
> > And now git 2.36 has been released.
>
> A new patch that updates to 2.36 is uploaded. Thanks for your mention :)
>
>
> --
> Retrieve my PGP public key:
>
> gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
>
> Zihao
>
Information forwarded to guix-patches <at> gnu.org: bug#55001; Package guix-patches. (Sat, 23 Apr 2022 04:22:02 GMT)
Message #29 received at 55001 <at> debbugs.gnu.org (full text, mbox):
Ping for response.
--
Retrieve my PGP public key:
gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F
Zihao
Reply sent to Mathieu Othacehe <othacehe <at> gnu.org>: You have taken responsibility. (Wed, 27 Apr 2022 09:34:02 GMT)
Notification sent to Zhu Zihao <all_but_last <at> 163.com>: bug acknowledged by developer. (Wed, 27 Apr 2022 09:34:02 GMT)
Message #34 received at 55001-done <at> debbugs.gnu.org (full text, mbox):
Hello,
Pushed as 4fb6ef6636acd7608889639c1b2e492517256f76.
Thanks,
Mathieu
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 25 May 2022 11:24:04 GMT)
This bug report was last modified 1 year and 334 days ago.